Determine permission levels and groups (SharePoint Foundation 2010)

A SharePoint group is a set of users that can be managed together. A permission level is a set of permissions that can be assigned to a specific group for a specific securable object. SharePoint groups and permission levels are defined at the site collection level and are inherited from the parent object by default. This article describes default groups and permission levels and helps you decide whether to use them as they are, customize them, or create different groups and permission levels.

SharePoint groups enable you to manage sets of users instead of individual users. These groups can contain many individual users, or they can include the contents of any corporate identity system, including Active Directory Domain Services (AD DS), LDAPv3-based directories, application-specific databases and new user-centric identity models, such as Windows Live ID. SharePoint groups do not confer specific rights to the site; they are a way to designate a set of users. You can organize your users into any number of groups, depending on the size and complexity of your organization or Web site. SharePoint groups cannot be nested.

The following table displays default groups that are created by using team site templates in SharePoint Foundation 2010. Each default group is assigned a default permission level.

Group name   Default permission level   Description
Visitors     Read                       Use this group to grant people Read permissions to the SharePoint site.
Members      Contribute                 Use this group to grant people Contribute permissions to the SharePoint site.
Owners       Full Control               Use this group to grant people Full Control permissions to the SharePoint site.

Make most users members of the Visitors or Members groups. By default, users in the Members group can contribute to the site by adding or removing items or documents, but cannot change the structure, site settings, or appearance of the site. The Visitors group has read-only access to the site, which means that they can see pages and items, and open items and documents, but cannot add or remove pages, items, or documents.

Besides the above SharePoint groups, there are also administrator groups for higher-level administration tasks. They are Windows administrators, SharePoint farm administrators, and site collection administrators.

The ability to view, change, or manage a site is determined by the permission level that you assign to a user or group. This permission level controls all permissions for the site and the child objects that inherit the site’s permissions. Without the appropriate permission levels, your users might be unable to perform their tasks, or they might be able to perform tasks that you did not want them to perform.

By default, the following permission levels are available:

Limited Access: Includes permissions that enable users to view specific lists, document libraries, list items, folders, or documents, without giving users access to all the elements of a site. You cannot edit this permission level directly.

Note: If this permission level is removed, group members might be unable to navigate the site to access items, even if they have the correct permissions for an item within the site.

Read: Includes permissions that enable users to view items on the site pages.

Contribute: Includes permissions that enable users to add or change items on the site pages or in lists and document libraries.

Design: Includes permissions that enable users to change the layout of site pages by using the browser or Microsoft SharePoint Designer 2010.

The default groups and permission levels provide a general framework for permissions, covering many different organization types and roles within those organizations. However, they might not map exactly to how your users are organized or to the many different tasks that your users perform on your sites. If the default groups and permission levels do not suit your organization, you can create custom groups, change the permissions included in specific permission levels, or create custom permission levels.

The decision to create custom groups is fairly straightforward and has little effect on your site's security. You should create custom groups instead of using the default groups if any of the following situations applies:

- You have more (or fewer) user roles within your organization than are apparent in the default groups. For example, if in addition to Designers, you have a set of people who are tasked with publishing content to the site, you might want to create a Publishers group.

- There are well-known names for unique roles within your organization that perform very different tasks in the sites. For example, if you are creating a public site to sell your organization's products, you might want to create a Customers group that replaces Visitors or Viewers.

- You want to preserve a one-to-one relationship between Windows security groups and the SharePoint groups. For example, if your organization has a security group called Web Site Managers, you might want to use that name as a group name for easy identification when managing the site.

The decision to customize permission levels is less straightforward than the decision to customize SharePoint groups. If you customize the permissions assigned to a permission level, you must keep track of that change, verify that it works for all groups and sites affected by the change, and ensure that the change does not negatively affect your security or your server capacity or performance.

For example, if you customize the Contribute permission level to include the Create Subsites permission that is typically part of the Full Control permission level, Contributors can create and own subsites, and can potentially invite malicious users to their subsites or post unapproved content. If you change the Read permission level to include the Create Alerts permission that is typically part of the Contribute permission level, all members of the Visitors group can create alerts, which might cause performance issues.

You should customize the default permission levels if either of the following situations applies:

- A default permission level includes all permissions except one that your users need to do their jobs, and you want to add that permission.

- A default permission level includes a permission that your users do not need.

Note: Do not customize the default permission levels if your organization has security or other concerns about a specific permission that is part of the permission level. If you want to make that permission unavailable for all users assigned to the permission level or levels that include that permission, turn off the permission for all Web applications in your server farm, rather than change all of the permission levels. To manage permissions for a Web application, see Manage permissions for a Web application (SharePoint Foundation 2010).

If you need to make several changes to a permission level, create a custom permission level that includes all of the permissions you need.

You might want to create additional permission levels if either of the following conditions applies:

- You want to exclude several permissions from a specific permission level.

- You want to define a unique set of permissions for a new permission level.

To create a permission level, define the new permission level and then select the permissions that you want to include.
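As an added example that is not part of this article, the following SharePoint 2010 Management Shell script shows both halves of the decision above: it audits which permission levels in a site collection grant the Create Subsites and Create Alerts permissions called out earlier, and it creates a custom Publishers permission level copied from Contribute plus Approve Items rather than editing Contribute in place. The site URL, the level name Publishers and the choice of Approve Items are assumptions.

```powershell
# Added example (not from the article). Assumes the SharePoint 2010 Management Shell.
# Permission levels (role definitions) live on the site collection's root web.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://sharepoint.example.local/sites/team"   # placeholder URL
$site = Get-SPSite $siteUrl
$web  = $site.RootWeb

# Display name -> SPBasePermissions flag for the permissions the article warns about.
$watch = @{
    "Create Subsites" = [Microsoft.SharePoint.SPBasePermissions]::ManageSubwebs
    "Create Alerts"   = [Microsoft.SharePoint.SPBasePermissions]::CreateAlerts
}

function Test-SPPerm($mask, $flag) {
    # SPBasePermissions is a UInt64 flags enum; compare as Int64 so -band works in PowerShell 2.0.
    return (([long]$mask) -band ([long]$flag)) -ne 0
}

# 1. Audit: list every permission level that grants one of the watched permissions.
foreach ($level in $web.RoleDefinitions) {
    foreach ($name in $watch.Keys) {
        if (Test-SPPerm $level.BasePermissions $watch[$name]) {
            "{0,-20} grants '{1}'" -f $level.Name, $name
        }
    }
}

# 2. Create a custom level instead of changing the default Contribute level.
$levelName = "Publishers"   # constructed name, following the article's Publishers group example
$existing  = $web.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
if ($existing -eq $null) {
    $contribute = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Contributor)
    $custom = New-Object Microsoft.SharePoint.SPRoleDefinition
    $custom.Name = $levelName
    $custom.Description = "Contribute plus Approve Items (custom level; Contribute is unchanged)"
    $custom.BasePermissions = [Microsoft.SharePoint.SPBasePermissions](
        ([long]$contribute.BasePermissions) -bor
        ([long][Microsoft.SharePoint.SPBasePermissions]::ApproveItems))
    $web.RoleDefinitions.Add($custom)
    $web.Update()
}

$web.Dispose()
$site.Dispose()
```

Run the audit section again after any change to a permission level; it is the "keep track of that change" step the article asks for.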